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Loss of control (LOC) is one of the largest contributors to fatal aircraft accidents 
worldwide. LOC accidents are complex in that they can result from numerous causal and 
contributing factors acting alone or (more often) in combination. These LOC hazards 
include vehicle impairment conditions, external disturbances; vehicle upset conditions, and 
inappropriate crew actions or responses. Hence, there is no single intervention strategy to 
prevent these accidents. NASA previously defined a comprehensive research and technology 
development approach for reducing LOC accidents and an associated integrated system 
concept. Onboard technologies for improved situation awareness, guidance, and control for 
LOC prevention and recovery are needed as part of this approach. Such systems should 
include: LOC hazards effects detection and mitigation; upset detection, prevention and 
recovery; and mitigation of combined hazards. NASA is conducting research in each of 
these areas. This paper provides an overview of this research, including the near-term LOC 
focus and associated analysis, as well as preliminary flight system architecture. 


I. Introduction 

L OSS of control (LOC) is one of the largest contributors to fatal aircraft accidents worldwide. As shown in 
Figure 1, in-flight LOC was the largest fatal accident category for jet transport accidents worldwide from 2001 
through 2010, and resulted in 20 accidents and 1,841 fatalities. 1 LOC is a significant contributor to accidents and 
fatalities across all vehicle classes, operational categories, and phases of flight. 2, 3 It is also a complex event, usually 
resulting from multiple causal and contributing factors that can occur individually or (more often) in combination. 
There is therefore no single intervention strategy that can be readily identified to prevent LOC accidents. 

A detailed analysis of aircraft accidents was performed to identify worst case combinations of LOC precursors 
and how they sequence in time. 4 The analysis performed in Ref. 4 included accidents that involved vehicle upsets, 
as well as those involving failures, impairment, or damage to the flight control capability of the aircraft or to the 
vehicle airframe (when the damage was sufficient to alter vehicle dynamics and control characteristics) whether or 
not these factors led to an upset. The data set used in the analysis consisted of 126 accidents that resulted in 6087 
fatalities during the period from 1979-2009. The analysis included the identification of worst case combinations of 
causal and contributing factors and a detailed compilation of LOC sequences based on temporal ordering of causal 
and contributing factors. A list of the top 10 LOC summarized sequences was developed, which represents 86.5% 
of the accidents considered in the paper. A set of 7 generalized LOC sequences was also defined, which are 
representative of 88.9% of the accidents considered in the study. A preliminary identification of potential future 
LOC risks was also presented. 

Based on the above LOC problem analysis, a comprehensive research and technology development approach 5,6 
for reducing LOC accidents was developed to provide prevention, avoidance, detection, mitigation, and recovery 
capabilities across a wide spectrum of LOC precursor combinations and sequences. The approach includes the 
development of (i) modeling and simulation technologies for characterizing vehicle dynamics and control 
characteristics under off-nominal precursor conditions associated with LOC events; (ii) vehicle health management 
(VHM) technologies for the detection, identification, characterization, and containment of airframe and system 
failures and damage (as well as their prevention though improved maintenance, inspection, and vehicle design); 
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(iii) flight safety assessment and resilient guidance and control technologies for the rapid assessment of off-nominal 
condition effects and their mitigation; and (iv) crew interface technologies for improved situation awareness (SA) 
and variable autonomy under off-nominal conditions. An associated high-level integrated system concept, called the 
Aircraft Integrated Resilient Safety Assurance and Failsafe Enhancement (AIRSAFE) System, was defined as part 
of the approach. Figure 2 depicts the AIRSAFE System concept. 
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Figure 1. Aircraft accident statistics for worldwide commercial jet fleet, 2001 - 2010. 


The core subsystems include vehicle health management (shown in green), vehicle flight safety management and 
resilient guidance and control (shown in blue), and crew-system interfaces (shown in yellow). Onboard modeling 
capability is reflected by purple. Multi-colored boxes represent shared functions between the associated subsystems. 
A more detailed description of the functions within each block of Fig. 2 was also provided in Refs. 5 and 6. 

This paper provides an overview of the research being conducted by the Vehicle Systems Safety Technologies 
(VSST) Project within the National Aeronautics and Space Administration’s (NASA) Aviation Safety Program 
(AvSP), with an emphasis on research that addresses LOC. Section II provides a general overview of the VSST 
Project. Section III provides an overview of VSST research that addresses LOC, and a detailed overview of 
guidance, control, and systems (GCS) technologies being developed for LOC prevention and recovery. The LOC 
hazards being addressed in the near-term are presented with the associated analysis, and a preliminary GCS 
architecture for technology integration and implementation is presented. Section IV illustrates the potential 
effectiveness of these technologies and briefly discusses their evaluation. Section V completes the paper with a 
summary and some concluding remarks. 
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Figure 2. Aircraft Integrated Resilient Safety Assurance and Failsafe Enhancement (AIRSAFE) System. 


II. Vehicle Systems Safety Technologies (VSST) Project Overview 


The VSST Project is developing technologies for improved vehicle and vehicle systems safety under current and 
future safety risks. The VSST Project is focused on three primary safety risk areas, as illustrated in Fig. 3. 


Safe vehicle operations 
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Figure 3. Vehicle Systems Safety Technologies (VSST) Project overview. 
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Vehicle-centric safety risk focuses on the crew, the vehicle, and the flight. The flight crew and aircraft comprise the 
first and second causal factor of commercial transport accidents worldwide, and LOC is the leading pre-crash 
consequence associated with these and other causal and contributing factors. 7 These three risk areas therefore 
comprise the three technical challenges being addressed by the VSST Project: 1.) Improve crew decision-making 
under complex situations (CDM); 2.) Maintain vehicle safety between major inspections (MVS); and 3.) Assure 
safe and effective control under hazardous conditions (ASC). 

CDM research focuses on the development of advanced flight deck technologies to improve SA, ensure pilot 
engagement on safety-critical tasks, and provide integrated information management and critical decision support. 
The development of pilot proficiency standards for maintaining manual handling skills under increasing flight deck 
automation is also a subject of research within CDM. Complex flight situations related to unexpected events and 
operations under the Next Generation Air Transportation System (NextGen) 8-9 is a key aspect of the research within 
CDM. 

MVS research focuses on the development of sensors and diagnostic tools for preventing critical vehicle and 
system failures, high-temperature engine sensor systems for reliable engine health monitoring, and airframe and 
engine materials and coatings that detect and minimize damage related to fatigue, fracture, delamination, and 
corrosion. 

ASC research focuses on the development of vehicle dynamics modeling and simulation technologies for 
characterizing LOC precursor conditions, and onboard GCS technologies for LOC prevention and recovery. Vehicle 
dynamics modeling and simulation methods are being developed for characterizing vehicle upset and impairment 
conditions. Existing external disturbance models will also be integrated into the resulting simulations. The GCS 
technologies are being developed to mitigate hazardous conditions that can lead to LOC. These technologies will 
be described in more detail in Section III. 

Assuring safe vehicle operations at the top of Fig. 3 represents a parallel effort on comprehensively evaluating 
and validating the technologies developed within CDM, MVS, and ASC to assure that these technologies are 
effective in improving safety. Validation of VSST technologies developed for LOC prevention and recovery is the 
subject of a companion paper (see Ref. 30). This will also be briefly discussed in Section IV. 


III. VSST Research and Technology Development for LOC Prevention and Recovery 

Due to LOC complexity, significant reduction of LOC accidents will require a multi-pronged coordinated effort 
that includes improved crew training and onboard systems technologies. This section provides an overview of the 
research approach being taken by NASA within the VSST Project for LOC prevention and recovery, with an 
emphasis on the GCS technologies development. Technology needs are discussed first, followed by the near-term 
research focus, an overview of VSST technologies that are being developed to address LOC, and a detailed 
description of GCS technologies that are under development for LOC prevention and recovery. 

LOC can be described as motion that is: outside the normal operating flight envelopes; not predictably altered by 
routine pilot control inputs; characterized by nonlinear effects, such as kinematic/inertial coupling; 
disproportionately large responses to small state variable changes, or oscillatory/divergent behavior; likely to result 
in high angular rates and displacements; and characterized by the inability to maintain heading, altitude, and wings- 
level flight. 10 LOC is therefore fundamentally a dynamics and control problem, but there are many causal and 
contributing factors that can lead to LOC. The primary causes include: entry into a vehicle upset condition; 
reduction or loss of control power; changes to the vehicle dynamic response in relation to handling/flying qualities; 
and combinations of these causes. There are numerous factors that have historically led or contributed to LOC. 
These can be grouped into three major categories: adverse onboard conditions, external hazards and disturbances, 
and abnormal flight conditions (or vehicle upsets). LOC causal and contributing factors within these categories are 
summarized in Fig. 4. Adverse onboard conditions includes vehicle problems (i.e., impairment, failures, or 
damage) and inappropriate crew response. External hazards and disturbances consist of inclement weather 
conditions, atmospheric disturbances, and obstacles that require abrupt maneuvering for avoidance. Vehicle upset 
conditions include a variety of off-nominal or extreme flight conditions and abnormal trajectories. The complexity 
of LOC is clearly illustrated in Fig. 4, particularly considering that many LOC accidents involve combinations of the 
causal and contributing factors that are listed. 
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Adverse onboard conditions: 

-vehicle impairment 

» inappropriate vehicle configuration, contaminated airfoil, 
and impropervehicle loading 
-system faults, failures, and errors 

» resulting from design flaws, software errors, or improper 
maintenance actions 

-vehicle damage to airframe and engines 
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External hazards and disturbances: 

-poor visibility 
-wake vortices 

-wind shear, turbulence, and thunderstorms 
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-abrupt maneuvers for obstacle avoidance or collisions 

Vehicle upsets: 

-abnormal attitude 

-abnormal airspeed, angular rates, or asymmetric forces 
-abnormal flight trajectory 
-uncontrolled descent (including spiral dive) 
-stall/departure from controlled flight 


Figure 4. LOC key characteristics, primary causes, and causal & contributing factors. 


B. Technology Needs for LOC Prevention 

Inappropriate crew response is often listed as a causal or contributing factor in LOC accidents. Two primary 
limitations can be attributed to this problem: limitations in crew training related to LOC, and limitations of onboard 
systems in providing SA to the crew under LOC precursor conditions. Current crew training under LOC conditions 
is limited because of model limitations for full stall and other upset conditions, failures and damage, and 
environmental hazards. There is also evidence that manual handling skills under increasing automation in the flight 
deck are not being reinforced through crew training . 11 Current onboard systems do not clearly inform of impending 
loss of control or provide effective control under hazardous conditions. 

Current aircraft guidance and control systems are designed independently for operation under nominal flight 
conditions, and can disengage unexpectedly under off-nominal conditions. Disengagement of these systems can 
occur without advance warning, during periods of peak workload or confusion by the crew, and often result in 
control input transients that further exacerbate conditions that can lead to LOC. Current envelope protection 
systems provide limited capabilities in that they are designed for nominal aircraft based on a priori fixed limits and 
depend upon valid sensor inputs. In particular, they are generally not effective under vehicle impairment conditions, 
and may disengage under extreme upset conditions and control surface or sensor failures . 12 

Future potential LOC risks must also be considered in identifying technology needs. Increasing demands on the 
national airspace has necessitated development of and transition to the Next Generation Air Transportation System 
(NextGen). Operation under NextGen will include high-density operations, efficient trajectories for four- 
dimensional operations, and self-spacing. These operational changes could require a higher demand on the flight 
crew, and could result in a higher number of external hazards encounters (e.g., wake vortices), particularly in the 
terminal area. Future aircraft are being developed for high efficiency and reduced weight. Future airframes are 
therefore likely to be more flexible, with a higher susceptibility to aeroelastic and aeroservoelastic structural modes. 
Composite materials are being increasingly incorporated into new vehicle designs, and future aircraft configurations 
could depart from the conventional tube-and-wing design. Damage and damage propagation properties associated 
with new materials could be very different from those associated with current materials, and vehicle upset properties 
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associated with new vehicle configurations could also be very different from those associated with conventional 
aircraft designs. All of these factors provide a potential for increased LOC risk unless proactive steps are taken to 
define, prioritize, and mitigate the associated hazards. 

Improved modeling and simulation technologies are needed to support improved crew training under LOC 
conditions, as well as for the development and evaluation of onboard systems technologies. Enhanced simulations 
must be capable of characterizing representative LOC scenarios, and these simulations must be representative of 
current and future vehicle classes. Improved training methods are needed to ensure that manual handling skills are 
retained despite increasing levels of flight deck automation. 

Onboard systems technologies for improved SA, guidance, and control under operationally relevant LOC 
scenarios are needed for LOC prevention and recovery. Such systems should include: external hazards effects 
detection and mitigation; upset detection, prevention, and recovery; vehicle impairment detection and mitigation, 
and an integrated approach that enables the detection and mitigation of multiple hazards simultaneously. 

C. Near-Term LOC Research Focus 

The complexity of LOC as illustrated in Fig. 4 requires that key causal and contributing factors be identified as a 
focus for near-term VSST research. This near-term focus is based on the analysis presented in Ref. 4, as well as a 
recent analysis of the Commercial Aviation Safety Team (CAST) Joint Safety Analysis Team (JSAT) for Loss of 
Aircraft State Awareness. Although a final report on this analysis is not yet available, a related report on mode 
awareness and energy state management within flight deck automation is available. 13 In order to remove the 
potential for including precursor effects that may have already been resolved or masking emerging precursor 
combinations, only accident data over the most recent 10-year period was assessed from Ref. 4. This near-term 
analysis was based on 64 accidents (with 2821 fatalities) that occurred over the time period 2000-2009. Figure 5 
shows a scatter plot of this analysis as well as a selected potential future risk from NextGen, and illustrates the near- 
term LOC problem focus. As indicated in the figure, near-term VSST research will focus on multiple hazards 
stemming from vehicle problems, external hazards, and crew errors. Vehicle-related hazards include system faults 
and failures and vehicle impairment conditions (airframe and engine) resulting from icing effects. External hazards 
include icing conditions and wake vortices, with wakes being considered as a potential future hazard resulting from 
high-density terminal area operations. Crew-related hazards include loss of energy state awareness (LESA) and 
spatial disorientation (SD), both of which can lead to various upsets including stalls and departures. 
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Figure 5. Near-term LOC problem focus. 
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D. VSST LOC Research Approach 


A comprehensive research and technology development approach for reducing LOC accidents was defined in 
Ref. 5 to provide prevention, avoidance, detection, mitigation, and recovery capabilities across a wide spectrum of 
LOC precursor combinations and sequences. This approach provides multiple opportunities of breaking LOC 
sequences at nearly every stage, which maximizes the potential to prevent LOC accidents. Figure 6 depicts the basic 
idea of this approach, as illustrated for an example generalized LOC sequence identified in Ref. 4. This generalized 
sequence is representative of 20 accidents (16%) and 907 fatalities (15%) from the analysis of Ref. 4. The LOC 
sequence of Figure 6 is initiated by either a vehicle impairment/damage or system fault/failure condition or an 
external hazard or disturbance, such as wind shear or icing (the latter of which can result in vehicle impairment). 
The second element in this sequence is an inappropriate crew response (including an inappropriate action, control 
input, or inaction). The inappropriate response could result from poor SA under the vehicle impairment or external 
hazard condition, spatial disorientation under poor visibility conditions, mode confusion associated with flight deck 
automation, or some other condition (e.g., crew incapacitation). The third element of this sequence is a vehicle 
upset. As indicated in Fig. 6, the LOC sequence can be broken if effective intervention strategies can be developed 
to avoid/detect adverse vehicle and external hazard conditions, if vehicle problems and external hazards can be 
mitigated when they occur, and if upset recovery can be accomplished when prevention is not successful. 


Prevent/ Avoid / Detect Mitigate Recover 

i ‘ 1 



• Vehicle Impairment, Fault, 
Failure, Damage 

• External Hazard / 
Disturbance 


• Poor Situation Awareness / Distraction 

• Spatial Disorientation (Poor Visibility) 

• Mode Confusion (System Complexity) 


• Abnormal Attitudes 

• Abnormal Trajectory 

• Stall/Departure 


Figure 6. Comprehensive approach to breaking LOC sequences (Ref. 5). 

Figure 7 provides a summary of the VSST technologies under development that relate to LOC prevention and 
recovery in the context of the near-term focus of Fig. 5 and the research approach of Fig. 6. VSST LOC-related 
research focuses on the prevention and/or mitigation of inappropriate crew response, vehicle impairment conditions, 
and atmospheric disturbances. 

Inappropriate crew response is often a causal or contributing factor in LOC accidents. Prevention of 
inappropriate crew actions is being addressed through improved training, situation awareness, and flight deck 
countermeasures. Improved training is enabled through enhanced vehicle dynamics models and simulations that 
more accurately characterize LOC precursor effects and by establishing training standards for retaining improved 
manual flying proficiency. Improved situation awareness is enabled by ensuring that information is provided on the 
current aircraft state, including energy and attitude states as well as any vehicle impairment conditions and the 
associated dynamics and control implications. Countermeasures for preventing and mitigating the effects of spatial 
disorientation and crew distraction are also being developed. 

Vehicle impairment resulting from system and component failures or icing effects can also contribute to LOC. 
Methods for failure prevention are being developed under MVS and are accomplished through improved design and 
early detection of anomalies. Real-time detection and mitigation of failures that do still occur, particularly those that 
directly impact vehicle dynamics and control characteristics, are being developed under ASC. Icing effects 
detection, identification, and mitigation are also under development within ASC. While the detection of 
environmental hazards is not explicitly being addressed under VSST, methods for the mitigation of their effects is 
being considered under ASC, with a focus on wake vortex and turbulence encounters. Turbulence is included 
because it often accompanies icing conditions. Multiple hazards effects from all of these categories are also being 
addressed under ASC, as well as methods for assessing their implications on flight safety. Specific aspects of flight 
safety being addressed include identification of maneuverability constraints resulting from vehicle impairment 
conditions, detection of the onset of a vehicle upset condition (in the presence of other hazards, including 
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inappropriate control inputs by the crew), and LOC prediction methods. This information is provided to the crew as 
well as to the resilient vehicle systems. Guidance on upset recovery, recovery time, and recovery state are also 
provided. 
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Figure 7. VSST integrated technologies for LOC prevention and recovery. 


E. Integrated GCS Research Description and System Architecture 

An overview of the GCS research component of Fig. 7 and the approach of Ref. 5 is depicted in Fig. 8. Research 
and technology development is focused on onboard systems technologies for LOC prevention, with an emphasis on 
improved guidance and control under multiple hazards. In order to address improved SA under LOC hazards, novel 
methods for LOC prediction are being developed, as well as methods for dynamic envelope protection that enable 
protection in the presence of vehicle impairment conditions. Explicit methods for upset onset detection, prevention, 
and recovery will also be developed, as well as advanced control methods for the mitigation of multiple hazards and 
their impacts on vehicle dynamics and control. Partnerships will also be established through a LOC Working Group 
to assist in identifying emergent risks, defining LOC test scenarios for technology evaluation, developing validation 
requirements, and facilitating technology transfer. 

In order to implement the research approach of Fig. 8, an integrated GCS architecture is needed as a research 
framework and for system development and integration. Figure 9 provides a preliminary integrated GCS 
architecture for LOC prevention and recovery. The colors depicted in Fig. 9 are consistent with those of the 
AIRSAFE System concept of Fig. 2; i.e., in Fig. 9: vehicle health state detection capabilities are indicated by green, 
vehicle flight safety state assessment and resilient guidance and control capabilities are shown in blue, crew-system 
interface information and support capabilities are shown in yellow, and onboard modeling capabilities are shaded 
purple. The signals depicted in Fig. 9 represent vector quantities and are defined as follows: “x” is the vehicle state, 
“y” represents measurable outputs, “z” represents controlled variables (which can be mode-dependent), “u” 
represents control inputs (with subscript “p” denoting pilot input commands, and subscript “c” denoting control 
system commands), “n” represents noise signals, “f ’ represents failures (and in the case of jammed actuators, for 
example, can represent persistent asymmetric forces acting on the aircraft), and “d” represents external disturbances. 
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Figure 9. GCS architecture for LOC prevention and recovery. 


Real-time assessment of flight safety is a key capability in providing improved onboard SA and control of 
aircraft operating under hazardous conditions. Assessment of flight safety (from a dynamics and control 
perspective) is inherently challenging because of the lack of a clear definition and the inherent nonlinear nature of 
events that lead to unsafe flight conditions. Moreover, flight safety assessment must be predictive to be the most 
beneficial. Near-term research into flight safety assessment will focus on failure detection, isolation, and mitigation 
(FDIM), vehicle impairment identification, energy state estimation, and LOC prediction. Control component 
failures are the focus of FDIM, with an emphasis on ensuring the integrity of the key sensors required for the flight 
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safety assessment, upset prevention, and LOC prevention components. Energy state monitoring is based on current 
and predicted energy state and rate of change. This information is needed to prevent upsets resulting from loss of 
energy state awareness (LESA), particularly low-speed stalls. LOC prediction is based on the metrics defined in 
Ref. 9 or alternate metrics, and is included to provide advance warning of impending LOC so that unrecoverable 
conditions can be prevented. LOC is quantified in Ref. 9 by the exceedence of three or more of the five envelopes 
defined therein. Therefore, in the event of vehicle impairment, these envelopes would need to be updated by the 
maneuverability and envelope constraint estimation subsystem. As indicated in Lig. 9, much of this information 
would be provided to the crew for improved SA and anticipatory guidance. Research is currently being conducted 
in icing effects detection and identification in the presence of turbulence, 14-15 engine icing effects modeling and 
detection, 16 energy management, 17 LOC prediction, 18 and improved SA 19-20 . 

Resilient control and anticipatory guidance methods are also of key importance in preventing LOC accidents, 
and are indicated by the middle two subsystems of figure 9. These functions would supplement nominal aircraft 
systems, and would provide guidance information and control augmentations under LOC hazards when needed. 
Upset prevention technologies use information related to system failures or vehicle impairment conditions to 
dynamically determine changes to the safe operating envelopes of the impaired vehicle. This information is 
provided to the pilot and control system in the form of maneuverability and control constraints. The revised 
envelopes are also provided to the LOC prediction algorithms and for use in the generation of trajectories that can be 
safely flown by the impaired vehicle. These updated envelopes are also used by the resilient control system in 
providing a dynamic envelope protection capability for upset prevention. LOC prevention and recovery is 
accomplished through multiple hazards mitigation, early detection of vehicle upset, and upset recovery that ensures 
an unrecoverable state is not entered. Resilient control methods maintain stability and provide improved vehicle 
response and handling qualities under multiple hazards. These methods use all available control capability to 
overcome the effects of multiple hazards occurring individually or sequentially within a single LOC event. 

Upset onset detection methods are being developed for identifying vehicle upset at an early stage in the presence 
of control input errors by the crew (e.g., those resulting from spatial disorientation or loss of energy state awareness) 
as well as other adverse conditions arising from vehicle impairment conditions or external hazards. The upset 
detection algorithms must be able to distinguish between the onset of a vehicle upset condition and normal or 
aggressive maneuvering without false alarms or missed detections. The detection of an upset triggers the generation 
of a recovery mechanism (based on safe trajectories for the current vehicle, either nominal or impaired), and 
recovery guidance cues are provided to the pilot. If safe recovery is not achieved or is not achievable by the pilot 
within a safe timeframe, an automatic recovery mechanism is engaged. The upset recovery methods provide the 
capabilities for early upset recovery as well as recovery from fully developed upsets for both nominal and impaired 
(but recoverable) aircraft. 

The upset and recovery state of the vehicle is provided to the crew throughout for maintaining SA. Specialized 
flight deck technologies (being developed under CDM) are needed to provide this information to the crew in a clear 
and timely manner. Real-time modeling methods (e.g., system identification) are used in determining changes in 
vehicle dynamics resulting from icing, failures, or damage, as well as in determining changes to safe operating 
envelopes of the impaired vehicle. Research is currently being conducted in safe envelope estimation, 21 trajectory 
generation under vehicle constraints, 22 integration of dynamic envelope constraints into advance control methods, 23- 
24 integrated flight and propulsion control methods, 25 robust aeroservoelastic control methods 26 for (future) flexible 
aircraft, and upset recovery methods. 27-28 


IV. Technology Evaluation 

The VSST Project seeks to address cross-cutting aviation safety challenges that require integrated system 
effectiveness across technologies developed by the three technical challenges being addressed in VSST (see Fig. 3). 
Future vehicle-related safety considerations must mitigate emerging risks related to increasing automation and 
system complexity, increasing traffic density, new vehicle designs and materials, new operations, and greater fleet 
diversity. Technologies developed under VSST must enable the safe implementation of new capabilities (e.g., 
NextGen) and assure favorable outcomes under hazardous conditions (e.g., LOC precursors). While accomplishing 
this, it must be ensured that new vehicle safety technologies do no harm; i.e., that they themselves do not introduce 
new safety risks. The significant reduction of LOC as a key contributor to fatal aircraft accidents will require a 
coordinated effort among CDM, MVS, and ASC, and ultimately integrated system technologies that provide 
improved crew interfaces to support situation awareness and decision-making (CDM), real-time vehicle health 
management (MVS), and effective guidance and control under hazardous conditions (ASC). The safe realization of 
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NextGen will also require vehicle capabilities that span each of the VSST TCs. The upper component of Fig. 3 
represents the VSST subproject responsible for comprehensive testing and evaluation of the VSST technologies. 

The validation of integrated technologies for LOC prevention and recovery, such as the proposed system of 
Figure 9, is a challenging problem. 29 The objective of the evaluation process is to expose system weaknesses and 
vulnerabilities, and to identify safe and unsafe operational conditions, regions, and boundaries. The evaluation 
results should include a clear delineation of the coverage of LOC hazards provided by the proposed integrated 
system technologies. The following subsections provide an initial assessment of the potential effectiveness of the 
VSST technologies in terms of the approach of Fig. 6, and a brief discussion about technology validation. The 
preliminary assessment of potential technology effectiveness is similar to that presented in Ref. 5 for the AIRSAFE 
System concept. A full discussion about technology validation is provided in a companion paper (see Ref. 30). 


A. Potential Effectiveness in Preventing Aircraft LOC Accidents 

The technology development approach proposed in Ref. 5 was considered therein relative to its potential 
effectiveness in providing interventions at every stage of a generalized LOC sequence, and this approach appears to 
provide multiple intervention opportunities at all stages of the LOC sequence evaluated (see Fig. 6). A similar 
evaluation is presented in Figure 10 for the GCS architecture of Fig. 9 integrated with the VSST technologies of Fig. 
7. The colored arrows and associated text describes interventions at each stage of the LOC sequence associated with 
each of the technology development areas depicted in Fig. 2 and 9. That is, purple correlates to vehicle dynamics 
modeling and simulation technologies, green reflects vehicle health management technologies, blue is indicative of 
flight safety management and resilient control technologies, and yellow represents crew interface technologies. The 
interventions will be discussed relative to each stage in the LOC sequence moving from left to right to illustrate 
potential technology inventions. One should note, however, that all functions (except upset recovery) are running 
continuously. Upset recovery is triggered when an upset is detected. 

Starting at the left of Fig. 10, and before the flight even takes off, enhanced vehicle dynamics modeling methods 
provide insight into flight dynamics and control characteristics that occur under LOC hazards. The resulting 
improved database and models are used in developing LOC-enhanced simulations for improved crew training and 
resilient GCS system development and evaluation under realistic LOC conditions. Improved training methods 
provide a heightened ability to recognize vehicle upset conditions at an early stage and provide a higher level of 
manual handling proficiency. Improved design methods provide an inherent capability within the airframe and 
engine for failure prevention and containment. Once the flight takes off, flight safety state assessment technologies 
provide the capability to anticipate flight safety hazards or risks at initial inception or with some lead time, including 
sudden or significant changes to the vehicle energy state and LOC margin. The onboard modeling capability for 
characterizing hazards effects supports this assessment. Crew interface technologies provide the crew with 
notification of these flight safety impacts or risks. All of these technologies contribute to the avoidance of vehicle 
impairment and upset conditions, and, therefore, provide multiple opportunities for intervention very early in the 
LOC sequence. 

Once a vehicle impairment or external hazard condition has occurred, the crew is better prepared to appropriately 
respond as a result of improved preflight training under realistic LOC conditions and improved real-time SA under 
the LOC conditions as they unfold. The onboard modeling technologies allow for models and databases to be 
rapidly updated to reflect the actual LOC condition being experienced and its impacts. This enables the accurate 
detection of impairment and hazard conditions by the VHM system, as well as associated diagnostics, prognostics, 
and containment functions. Flight safety assessment and resilient control technologies enable rapid assessment and 
prediction of off-nominal condition impacts and risks, mitigation of these effects through automatic control or 
guidance to the crew, and determination of achievable trajectories that the aircraft can safely fly. More specifically, 
flight safety assessment algorithms include LOC margin predictions, energy state impacts, and estimated vehicle 
impairment effects. Upset prevention algorithms provide estimates of revised flight envelopes that define safe 
regions of vehicle operation, which are used to provide dynamic envelope protection. LOC prevention algorithms 
provide control augmentation that ensures stability and provides improved handling qualities under multiple LOC 
hazards. Crew interface technologies enable the rapid and effective communication of the LOC conditions and their 
effects to the crew for improved SA, as well as guidance and cueing on control constraints and how to safely fly the 
aircraft under the current conditions. Providing appropriate information to the crew in order to formulate an 
optimum response is crucial in a LOC precursor condition due to the unforgiving flight environment and rapid onset 
of catastrophic conditions. These technologies working together provide the capability to rapidly detect and 
mitigate LOC precursor conditions while preventing an inappropriate response by the crew. 
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Figure 10. Illustration of potential VSST technology effectiveness for LOC prevention and recovery 

based on an example LOC sequence. 

If an inappropriate crew response does occur, the flight safety management and resilient control technologies 
immediately detect LOC risk associated with the action (or inaction), and mitigate the effects to restore flight safety 
(e.g., to preserve LOC margin and a healthy energy state) while preventing a vehicle upset or damage. Dynamic 
envelope protection algorithms are working to prevent upsets, and upset detection algorithms are monitoring for the 
onset of a vehicle upset. Warnings are provided to the crew of impending flight safety risks associated with the 
inappropriate response (e.g., reduced LOC margin or energy state) and of mitigations being taken by the resilient 
system. Safe trajectories are generated for continuing the flight or landing the vehicle, and guidance for following 
them is provided to the crew. These technologies working together provide the capability to reduce the impact of 
inappropriate crew responses while mitigating the existing LOC precursor conditions and preventing a vehicle upset 
(or damage) condition. 

If a vehicle upset condition does occur, the flight safety management and resilient control technologies provide 
the capability to detect and arrest the upset early in its progression as well as the capability to effect a full recovery, 
while continuing to mitigate the existing LOC precursor conditions and prevent entry into an unrecoverable 
condition. Safe recovery trajectories are generated for accomplishing the recovery in the context of the other LOC 
precursor conditions being experienced so as to prevent vehicle damage during the recovery. Throughout the upset 
detection and recovery, energy state abnormalities are detected and a healthy energy state maintained or restored and 
a safe LOC margin restored. Throughout the upset event, key information is communicated to the crew for 
improved SA and effective/optimal involvement by the crew. Moreover, throughout the upset event the crew is 
better able to recognize the upset condition and understand its effect on vehicle dynamics and control because of 
improved crew training in upset conditions enabled by enhanced modeling and simulation of realistic LOC 
conditions. The crew is also better able to manually fly the aircraft because of improved training to retain these 
skills. Finally, onboard models and databases are updated for future LOC events. All of these technologies working 
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together provide the capability to mitigate the upset condition early in its inception and to fully recover from it while 
preventing a LOC accident from being the ultimate result. 


B. Technology Validation 

The integrated technologies depicted in Fig. 7 and 9 must be comprehensively evaluated using advanced 
analysis, simulation, and experimental test capabilities (see Ref. 29) to determine their effectiveness for LOC 
prevention and recovery. This is the subject of a companion paper. 30 Validation of the individual and the integrated 
technologies is essential in ensuring that they are effective in assuring safe vehicle operations under current and 
future LOC risks (see Fig. 5), and that they themselves do no harm. For example, error propagation between 
subsystems (e.g., missed detections, false alarms, incorrect identifications, and incorrect decisions) must be 
thoroughly assessed for impacts to integrated system performance. As indicated in Ref. 29, this requires a validation 
capability that enables comprehensive technology evaluation under varying levels of integration. It also requires 
evaluation under realistic LOC scenarios that enable an evaluation of the level of coverage related to current and 
future LOC risks. Reference 30 provides a preliminary set of LOC test scenarios for use in evaluating the GCS and 
integrated VSST technologies being developed for LOC prevention and recovery, as well as a summary of the 
current VSST research on technology validation for LOC applications. 


V. Summary and Concluding Remarks 

Aircraft loss of control is one of the largest contributors to aircraft fatal accidents worldwide, and is a subject of 
research being conducted within NASA’s Aviation Safety Program. This paper summarizes the near-term research 
approach being taken by NASA within the VSST Project for addressing LOC, with an emphasis on guidance, 
control, and systems technologies for LOC prevention and recovery. Hazards to be addressed over the next five 
years were determined based on an analysis of the most recent 1 0-year period from the accident set of Ref. 4 and a 
preliminary set of potential future hazards. It was determined that VSST research will focus on multiple hazards 
stemming from vehicle problems, external hazards, and crew errors. Vehicle-related hazards include system faults 
and failures and vehicle impairment conditions (airframe and engine) resulting from icing effects. External hazards 
include icing conditions and wake vortices, with wakes being considered as a potential future hazard resulting from 
high-density terminal area operations. Crew-related hazards include loss of energy state awareness and spatial 
disorientation, both of which can lead to various upsets including stalls and departures. The VSST research approach 
for addressing these hazards was presented, and a preliminary GCS architecture was defined. This architecture 
includes subsystems for flight safety assessment, upset prevention, and LOC prevention and recovery. Flight safety 
assessment will focus on failure detection, isolation, and mitigation, with an emphasis on sensors and control 
effectors, vehicle impairment identification for icing, energy state estimation, and LOC prediction. Upset prevention 
will focus on maneuverability and envelope constraint estimation, constrained trajectory generation, and dynamic 
envelope protection. LOC prevention and recovery will consist of resilient control methods for multiple hazards 
mitigation, upset onset detection, and upset recovery. Information from all of these subsystems will be provide to 
the crew. The potential effectiveness of this research was illustrated for an example LOC sequence, and a brief 
discussion of technology validation was presented. A full discussion of the validation of these technologies is 
presented in a companion paper (Ref. 30), as well as a preliminary set of LOC test scenarios for use in their 
evaluation. The LOC test scenarios are representative of the accident set analyzed in Ref. 4 as well as a set of future 
potential LOC risks, and includes a clear indication of their coverage. A LOC Working Group is being established 
to assist in identifying emergent risks, defining a complete set of LOC test scenarios, developing validation 
requirements, and facilitating technology transfer. 
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